Prediction for Systems Subject to a Phased Mission Profile

J. D. Esary

Abstract. The term "phased mission profile" describes a situation
in which the factors that influence the longevity of a system change in
the course of a sequence of distinct, successive periods of time which
are the mission "phases." Phased mission profiles tend to be associated
with more general phased missions, in which there can also be
changes in the system configuration that is relevant to mission success,
but many systems with a stable configuration are exposed to phased
mission profiles.

Predictions of the probability of mission success for a system
typically result from combining predicted probabilities of mission
success for its components according to a logic model for the system's
configuration. We investigate the effect that the depth to which the
logic model is carried has on predictions, when the predictions at the
component level are made using a "standard" methodology.


1. Introduction. Reliability predictions for complex systems
typically begin with predictions of the probabilities of mission success
for the components in a system. Then the component predictions are
combined in accordance with a logic model which describes how the
components interact in the system, e.g. a block diagram or a fault tree.
The result is a predicted mission success probability for the system.
Safety predictions follow a mathematically equivalent pattern which
predicts the probability of occurrence for a catastrophic event by using a
logic model to combine predicted occurrence probabilities for various
contributory events. In both cases it is reasonable to expect that the
validity of the prediction process can be affected by the depth of the
logic model, i.e. by the level of detail to which the block diagram or
fault tree is developed, and at which "component" predictions are
introduced.

The purpose here is to investigate an optimistic bias which can
arise from using a logic model which is too shallow in conjunction with
the standard methodologies for making component level predictions from
historical experience, available test data, or similar sources. The
bias in question can be illustrated by a simple example.

Example 1.1. A device D (perhaps an actuator or a control) will
be required to complete two identical, brief cycles of operation during
the course of a mission. Previous experience with the device in a
similar service environment is confined to a single operational cycle and
indicates a .99 probability that the device will function once. The
duration of the operational cycles is so short that hardware aging is
not expected to occur. Extrapolating that the probability that the
device will function a second time is another .99 leads to a predicted
success probability of $(.99)^2 = .9801$ for two cycles of operation,
as is indicated in Figure 1.1.


FIGURE 1.1 (Cycle 1, Cycle 2; predicted success probability $(.99)^2 = .9801$)


However, if viewed in greater detail, the device turns out to be a
construct of two identical components, 1 and 2, that operate
independently and in parallel. Its single cycle reliability of .99 results
from a single cycle success probability of .9 for each component, i.e.
$.9 \vee .9 = .99$, where $p_1 \vee p_2 = 1 - (1-p_1)(1-p_2) = p_1 + p_2 - p_1 p_2$
is a convenient notation for the reliability of a system with two independent
components that function in parallel with reliabilities $p_1$ and $p_2$
(see Figure 1.2).

FIGURE 1.2

Then it can be recognized that the device will complete two
operational cycles if either component 1 or component 2 does so.
Extrapolating one cycle survival probabilities at the new level of
component detail leads to a predicted probability $(.9)^2 = .81$ that
component 1 will survive two cycles, the same probability that component
2 will survive two cycles, and to a predicted probability
$.81 \vee .81 = .9639$ that the device will survive two cycles, as in Figure 1.3.

FIGURE 1.3


In this example the assumption that there will be no hardware
aging over the course of two operational cycles has been incorporated
with experience at two different modeling depths. The prediction based
on the more detailed model is the more conservative. □

The scenario considered in Example 1.1 is an almost trivial example
of a phased mission. It has successive periods of time in which
environmental stresses are altered or repeated which can be regarded as
mission phases, but the logic model for the system is the same in each
period. More general phased missions can involve successive epochs of
time in which there are changes in the logic model that is relevant to
system success as well as in the applied environmental stresses. For
such missions the depth of the logic models employed in making
reliability predictions can have an effect similar to that noted in Example 1.1.

The pioneering work on reliability analysis for phased missions
was motivated by the need to predict mission success and crew safety
for manned spaceflights. Rubin [6, 1964] and Schmidt and Weisberg
[7, 1966] described an approximate, but conservative, method of making
reliability predictions for phased missions. Certain weapons systems
are designed to perform phased missions. Esary and Ziehms [4, 1975]
studied a transformation technique that, at least in principle, reduces
the prediction problem for a phased mission to that for a single-phase
mission. Ziehms [9, 1975] compared a variety of approximate methods
for making phased mission reliability predictions, and identified those
which are conservative and relatively the most accurate. Bell [2, 1975]
considered a class of multi-objective phased missions in which
sub-missions diverge from a main mission, and described methods for predicting
success probabilities for single objectives and composite figures of
merit for combinations of objectives. Bell also considered allowing
for an "operational readiness" phase in making predictions. This is a
preliminary phase of indeterminate duration, prior to the inception of
the active mission, during which components can be repaired if they fail
in an effort to maintain the readiness of the system. Pilnick [5, 1977]
emphasized the use of graphical techniques in conducting an expository
analysis of a hypothetical mission proposed by Bell.

Recently Burdick, Fussell, Rasmuson, and Wilson [3, 1977] have
discussed the analysis of phased missions from the safety perspective,
using fault trees to represent the relevant logic models, and
considering exact, and selected approximate, methods for making predictions.
They suggest, accompanied by examples, possible applications in
predicting the safety of nuclear reactors.

The  papers  just  cited  contain  assorted  examples  of  phased  missions, 
and  discuss  some  of  the  computational  practicalities  involved  in  their 
analysis.  These  papers  are  focused  on  a proper  accounting  for  shifts 
in  system  configuration  from  phase  to  phase  of  a mission,  under  the 
assumption  that  the  reliabilities  of  the  components  throughout  the 
course  of  the  mission  have  been  correctly  established. 

Attention here is confined to a different aspect of the phased
mission problem, the origins of the bias noted in Example 1.1 and the
effect it has on predicted probabilities for mission success. We will
seek to characterize those devices whose reliability over a phased
environmental profile can be predicted by "standard" methods, and then to
establish the modeling depth at which such predictions can be introduced
into the analysis of a phased mission. For the present, only systems
whose configuration is stable throughout the mission are considered.

2. Standard reliability predictions for phased mission profiles.
Any mission that is contemplated for a device will expose it to one or
more service environments. From the physical and human factors point
of view, a service environment for a device is an amalgam of the
stresses (temperature, vibration) and other factors (corrosion,
careless operation) that influence its longevity. From the stochastic
point of view, the impact of a service environment on a device can be
summarized by a probability distribution for the amount of time the
device will survive if exposed in that environment.

We will assume that a fully up device introduced into a service
environment $e$ has a random, nonnegative time to failure $T_e$. For our
purposes the probability distribution of $T_e$ can conveniently be
described by a survival function

(2.1)  $F_e(t) = P\{T_e > t\}, \quad t \ge 0,$

which gives the probability that the device will survive a mission of
whatever duration $t$ in environment $e$. Or, in some cases, the
distribution of $T_e$ can be described by a failure rate for the device in
environment $e$, i.e. by a nonnegative function $r_e(t)$, $t \ge 0$, such that

(2.2)  $F_e(t) = e^{-\int_0^t r_e(s)\,ds}, \quad t \ge 0.$

It is usually the case that there is a multiplicity of service
environments in which a device may be used. We will suppose that a
device can be exposed to a range $E$ of possible service environments $e$,
each characterized by a survival function $F_e$ for the device in that
environment, or perhaps by a failure rate.

For many devices a typical mission requires exposure, for various
periods of time, to a sequence of distinct service environments. For
such a device, a phased mission profile will be a sequence
$e_1, e_2, \ldots, e_m$ of environments to which it is successively exposed,
accompanied by a sequence $d_1, d_2, \ldots, d_m$ of times which are the
durations of the exposures in each environment.


[Figure: successive exposures of durations $d_1$, $d_2$, ..., $d_m$ to Environment $e_1$, Environment $e_2$, ..., Environment $e_m$]


There is often a need to predict the probability that a device
will operate successfully throughout a phased mission profile, using
knowledge of its reliability in each of the service environments
involved as a point of departure. A basic motivation for this paper is
the presumption that there is a widely used (standard) methodology for
doing this which is illustrated by the following example.

Example 2.1. A device (perhaps a generator) has two modes of
operation, active and passive. Its failure rate in the passive mode is
believed to be a constant $\lambda_1$ failures/hr. Its failure rate in the
active mode is believed to be a constant $\lambda_2$ failures/hr (presumably
$\lambda_2 > \lambda_1$).

For a mission in which $d_1$ hours of passive operation are
followed by $d_2$ hours of active operation, our standard methodology draws
the failure rate profile shown in Figure 2.1.


FIGURE 2.1


Then in keeping with equation (2.2), the area $\lambda_1 d_1 + \lambda_2 d_2$
under the failure rate curve is found, and the probability of success for the
mission is predicted to be $e^{-(\lambda_1 d_1 + \lambda_2 d_2)}$.

Equivalently, the probability of mission success is predicted to
be $F_1(d_1)\,F_2(d_2)$,
where $F_1(t) = e^{-\lambda_1 t}$ and $F_2(t) = e^{-\lambda_2 t}$ are the survival
functions for the device in the passive and active operating modes. □

The reader can consider his own variations on the scenario of
Example 2.1, involving shifts in stresses, repeated duty cycles, or
similar features, to see if he agrees with the general description of
feasible practice contained in the following paragraph.

In general, without requiring the existence of failure rates, we
will say that the standard method for predicting the reliability of a
device over a phased mission profile is to equate the probability of
mission success, i.e. the probability that each period of exposure to
each service environment is survived in turn, to the product of the
probabilities that each environmental exposure would be survived if
undertaken separately. For the phased mission profile
$e_1,d_1;\ e_2,d_2;\ \ldots;\ e_m,d_m$ we can express the standard prediction
by writing

(2.3)  $F(d_1, d_2, \ldots, d_m) = F_1(d_1)\,F_2(d_2) \cdots F_m(d_m),$

where $F(d_1, d_2, \ldots, d_m)$ is notation for the probability of surviving
the sequence of exposures of durations $d_1, d_2, \ldots, d_m$, and $F_j$ is
shortened notation for the survival function of the device in
environment $e_j$, $j = 1, \ldots, m$.


For example, the Review Committee for this manuscript has indicated
that the standard method is essentially that implemented by the KITT-2
computer code in treating phased mission profiles. See Veseley and
Narum [8, 1970].

3. Degradable and nondegradable devices. The standard prediction
method considered in Section 2 assumes that a device enters each new
service environment with its survival potential unimpaired. Although
failure is permitted in the course of a mission, deterioration is not.

More formally, we will say that a device is nondegradable if

(3.1) 

for all periods of exposure $d_1, d_2$ and service environments $e_1, e_2$
in $E$, the range of possible environments to which the device may be
exposed. As an alternative, a device is degradable if

(3.2)  $F(d_1, d_2) \le F_1(d_1)\,F_2(d_2)$

for all exposures $d_1, d_2$ and environments $e_1, e_2$ in $E$. The inclusion
of the class of nondegradable devices within the class of degradable
devices as a boundary case reflects a convention that has proved
convenient in treating similar notions.

Systems formed from nondegradable components can be either
nondegradable or degradable, as is shown by the following example.

Example 3.1. A two component series system functions as long as
both its components function. If the components fail independently,
then $F(d_1,d_2) = G(d_1,d_2)\,H(d_1,d_2)$ and $F_j(d_j) = G_j(d_j)\,H_j(d_j)$,
$j = 1,2$, where $F$ denotes a survival function pertaining to the system
and $G$, $H$ denote survival functions pertaining to the components.

If the components in a two component series system are
nondegradable, then

$F(d_1,d_2) = G(d_1,d_2)\,H(d_1,d_2)$

$\qquad = G_1(d_1)\,G_2(d_2) \cdot H_1(d_1)\,H_2(d_2)$

for all $d_1, d_2$ and $e_1, e_2$ in $E$, the range of service environments
for the system. Thus the system is nondegradable. There is a tacit,
but reasonable assumption made that the range of service environments
for the system is contained in the range of service environments for
each of its components.

A two component parallel system functions as long as either of its
components functions. If the components fail independently, then
$F(d_1,d_2) = G(d_1,d_2) \vee H(d_1,d_2)$ and $F_j(d_j) = G_j(d_j) \vee H_j(d_j)$, $j = 1,2$.

If the components in a two component parallel system are
nondegradable, then

$F(d_1,d_2) = G(d_1,d_2) \vee H(d_1,d_2)$

$\qquad = G_1(d_1)\,G_2(d_2) \vee H_1(d_1)\,H_2(d_2)$

$\qquad \le \{G_1(d_1) \vee H_1(d_1)\}\{G_2(d_2) \vee H_2(d_2)\}$

for all $d_1, d_2$ and $e_1, e_2$ in $E$ (for the system). Thus the system
is degradable. The crucial step in the argument depends on the
inequality $p_1 p_2 \vee q_1 q_2 \le (p_1 \vee q_1)(p_2 \vee q_2)$, where
$p_1, p_2, q_1, q_2$ are probabilities. This inequality can be verified by
inspection if block diagrams are compared for a system with reliability
equal to the left side of the inequality, and a system with reliability
equal to the right side of the inequality. □

A trivial extension of the argument used in Example 3.1 for a two
component series system justifies the following remark.

Remark 3.1. If the components in a series system fail
independently, and each component is nondegradable, then the system is
nondegradable.

A general class of systems that contains the two component systems
considered in Example 3.1 is the class of coherent systems (see Barlow
and Proschan [1, 1975], Chapters 1 and 2). These systems are
characterized by the conditions:

(i)  If all the components in the system function, then the
system functions.

(ii)  If all the components in the system fail, then the system
fails.

(iii)  Restoring a failed component will not cause a functioning
system to fail.


Systems whose logic models can be represented by conventional block
diagrams, or by fault trees using only "and" and "or" gates are
coherent.

The reliability function

(3.3)  $p = h(p_1, \ldots, p_n)$

of a system (coherent or not) relates the probability $p$ that the
system will function to the probabilities $p_1, \ldots, p_n$ that its $n$
components will function when the components fail independently. The
reliability function of a coherent system satisfies the inequality

(3.4)  $h(p_1 q_1, \ldots, p_n q_n) \le h(p_1, \ldots, p_n)\,h(q_1, \ldots, q_n)$

for all probabilities $p_i$, $q_i$, $i = 1, \ldots, n$ ([1], Theorem 1.3, page 23).
Equality holds when $0 < p_i < 1$, $0 < q_i < 1$, $i = 1, \ldots, n$, only if the
system is a series system.

A system of independent components is degradable if

(3.5)  $F(d_1,d_2) = h\{G^{(1)}(d_1,d_2), \ldots, G^{(n)}(d_1,d_2)\}$

$\qquad \le h\{G_1^{(1)}(d_1), \ldots, G_1^{(n)}(d_1)\} \cdot h\{G_2^{(1)}(d_2), \ldots, G_2^{(n)}(d_2)\}$

$\qquad = F_1(d_1)\,F_2(d_2),$

where $F$ denotes a survival function pertaining to the system, and
$G^{(i)}$, $i = 1, \ldots, n$, denote survival functions pertaining to the
components. The system is nondegradable if equality holds in (3.5).

If the components in a system are nondegradable, then

(3.6)  $h\{G^{(1)}(d_1,d_2), \ldots, G^{(n)}(d_1,d_2)\}$

$\qquad = h\{G_1^{(1)}(d_1)\,G_2^{(1)}(d_2), \ldots, G_1^{(n)}(d_1)\,G_2^{(n)}(d_2)\}.$

If the components in a coherent system are degradable, then

(3.7)  $h\{G^{(1)}(d_1,d_2), \ldots, G^{(n)}(d_1,d_2)\}$

$\qquad \le h\{G_1^{(1)}(d_1)\,G_2^{(1)}(d_2), \ldots, G_1^{(n)}(d_1)\,G_2^{(n)}(d_2)\},$

since the reliability function of a coherent system is increasing in
each of its arguments ([1], Theorem 1.2, page 22).

In view of (3.5), augmented by (3.7), the following theorem is a
direct consequence of inequality (3.4).

Theorem 3.2. A coherent system of independent, degradable
(including nondegradable) components is degradable.

The following remark can be established from the condition for
equality in inequality (3.4).

Remark 3.3. If a coherent system of independent, nondegradable
components is itself nondegradable, and if amongst the range of its
possible service environments there is one environment in which, for
some period of exposure, the survival of each component is neither
impossible nor certain, then the system must be a series system.

The practical import of Remark 3.3 is that only series systems of
nondegradable components can be treated as nondegradable, unless there
are some atypical constraints on the range of service environments
embraced by a mission.

Remark 3.3 also serves to emphasize that the notions of a
nondegradable or a degradable device are defined by the relationships (3.1)
and (3.2) relative to some range of possible service environments $E$.
These definitions are strengthened, in a natural and appropriate way,
if the range of service environments to which the device may be exposed
is assumed to have the following closure property.

A range $E$ of possible service environments is complete if,
whenever $e_1, e_2, \ldots$ are environments in $E$, then the environment $e$
which consists of an exposure of arbitrary duration $d_1$ to $e_1$,
followed by an exposure of arbitrary duration $d_2$ to $e_2$, and so on,
is also in $E$.

In essence, $E$ is complete if every phased mission profile that
can be constructed from environments present in $E$ is also to be found
in $E$.


If a device is nondegradable with respect to a complete range of
service environments $E$, then for each phased mission profile
$e_1,d_1;\ e_2,d_2;\ \ldots;\ e_m,d_m$ constructed from environments in $E$,

(3.8)  $F(d_1, \ldots, d_m) = F_{1,\ldots,m-1}(d_1 + \cdots + d_{m-1})\,F_m(d_m),$

where $F_{1,\ldots,m-1}(d_1 + \cdots + d_{m-1})$ is notation for the probability
that the device will survive an exposure of duration $d_1 + \cdots + d_{m-1}$
to the composite environment $e_1,d_1;\ \ldots;\ e_{m-1},d_{m-1}$, which is now in
$E$. Iterating the argument leads to

(3.9)  $F(d_1, \ldots, d_m) = F_1(d_1)\,F_2(d_2) \cdots F_m(d_m).$

Similarly, if a device is degradable with respect to a complete range
of service environments $E$, then

(3.10)  $F(d_1, \ldots, d_m) \le F_1(d_1)\,F_2(d_2) \cdots F_m(d_m).$

Thus the standard method for predicting the reliability of a
device over a phased mission profile is precise if the device is
nondegradable with respect to the complete range of service environments
embraced by the mission, and is optimistic if the device is degradable.


4. System reliability predictions for phased mission profiles.
There is an elaboration of the standard method for predicting the
probability of mission success over a phased mission profile
$e_1,d_1;\ e_2,d_2;\ \ldots;\ e_m,d_m$ which is frequently used for complex
systems. This method has two stages:

(a)  For each component $i = 1, \ldots, n$ in the system, the
probability $G^{(i)}(d_1, \ldots, d_m)$ of mission success is
predicted by the standard method to be
$G_1^{(i)}(d_1) \cdots G_m^{(i)}(d_m)$.

(b)  The system probability $F(d_1, \ldots, d_m)$ of mission
success is predicted by combining the component
predictions using the system reliability function $h$,
i.e. by

$h\{G_1^{(1)}(d_1) \cdots G_m^{(1)}(d_m), \ldots, G_1^{(n)}(d_1) \cdots G_m^{(n)}(d_m)\}.$

We will call this procedure the refined standard prediction method.

Assuming that the components in the system perform independently,
the precise relationship which the refined standard prediction method
approximates is

(4.1)  $F(d_1, \ldots, d_m) = h\{G^{(1)}(d_1, \ldots, d_m), \ldots, G^{(n)}(d_1, \ldots, d_m)\}.$

If the components are independent and are nondegradable with
respect to the complete range of service environments embraced by the
mission, then the refined standard prediction method is exact. This
observation is confirmed by using (3.9), at the component level, in
conjunction with (4.1).

However, if the system is coherent, its components are independent,
and are degradable with respect to the complete range of service
environments embraced by the mission, then the refined standard prediction
method is optimistic, i.e. it over-predicts the probability of mission
success. This observation is confirmed by using (3.10), at the component
level, in conjunction with (4.1) and the fact that $h$ is increasing.

It is interesting to compare the result of predicting the system
mission success probability $F(d_1, \ldots, d_m)$ by direct application of
the standard method with the result of using the refined standard
method. In the direct approach $F(d_1, \ldots, d_m)$ is predicted
according to (2.3) with

(4.2)  $F_j(d_j) = h\{G_j^{(1)}(d_j), \ldots, G_j^{(n)}(d_j)\}, \quad j = 1, \ldots, m.$

With $F(d_1, \ldots, d_m)$ defined by (4.1) and $F_j(d_j)$, $j = 1, \ldots, m$,
defined by (4.2), the inequality

(4.3)  $F(d_1, \ldots, d_m) \le h\{G_1^{(1)}(d_1) \cdots G_m^{(1)}(d_m), \ldots, G_1^{(n)}(d_1) \cdots G_m^{(n)}(d_m)\}$

$\qquad \le F_1(d_1) \cdots F_m(d_m)$

holds for a coherent system with independent components that are
degradable with respect to the complete range of service environments
embraced by the mission. As was the case in the arguments supporting
Theorem 3.2, the first inequality in (4.3) holds because $h$ is
increasing, and the second inequality is a consequence of (3.4).

Thus the refined standard prediction method, while optimistic if
applied using degradable components, is less optimistic than the direct
application of the standard prediction method to the system itself.

In many cases the degradable components in a coherent system are
themselves modules (coherent subsystems with nonoverlapping component
subsets) of more basic degradable components, and these components may
in turn be modules, and so on. Component independence at the most
basic level is reflected as modular independence at the higher levels
of amalgamation. In this situation it is easy to extend the preceding
considerations to show that the refined standard prediction method
becomes less optimistic as the modeling depth at which standard component
predictions are introduced is increased. As previously noted, if the
modeling depth can be carried to a level at which the components are
nondegradable, then the refined standard method becomes exact.
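
The effect of modeling depth described in Sections 1 through 4, worked numerically as an added example that is not part of the original paper. It generalizes Example 1.1 to nested series/parallel modules; the tree encoding, the function names, and the SYSTEM layout with its failure rates and durations are constructed for illustration, and the basic parts are assumed independent and nondegradable.

```python
from math import exp, prod

# A logic model is a tree: an int is a basic part (index into a per-phase list
# of survival probabilities); ("series" | "parallel", [children]) is a module.
# Each part appears once, so modules are independent, as Section 4 assumes.


def combine(kind, values):
    """Reliability of a series or parallel arrangement of independent blocks."""
    if kind == "series":
        return prod(values)
    if kind == "parallel":
        return 1.0 - prod(1.0 - v for v in values)  # the "v" operation of Section 1
    raise ValueError(f"unknown gate: {kind}")


def phase_reliability(node, p):
    """Survival probability of `node` over one phase; p[i] is part i's survival."""
    if isinstance(node, int):
        return p[node]
    kind, children = node
    return combine(kind, [phase_reliability(c, p) for c in children])


def predict(node, phases, depth):
    """Apply the standard method (product over phases, eq. 2.3) to the blocks
    found `depth` levels below `node`, then combine them with the logic model.
    depth=0 is the direct standard method applied to the whole system; at full
    depth the prediction is exact for nondegradable basic parts."""
    if depth == 0 or isinstance(node, int):
        return prod(phase_reliability(node, p) for p in phases)
    kind, children = node
    return combine(kind, [predict(c, phases, depth - 1) for c in children])


def tree_depth(node):
    """Number of gate levels between `node` and its deepest basic part."""
    if isinstance(node, int):
        return 0
    return 1 + max(tree_depth(c) for c in node[1])


def phases_from_rates(profile):
    """profile: list of (failure rates per part, duration in hours), one entry
    per phase, with constant failure rates as in Example 2.1."""
    return [[exp(-lam * d) for lam in rates] for rates, d in profile]


def predictions_by_depth(node, phases):
    """Predicted mission success for every modeling depth, shallowest first."""
    return [predict(node, phases, k) for k in range(tree_depth(node) + 1)]


# Example 1.1 from the paper: two parallel parts, two cycles, .9 per part per cycle.
DEVICE = ("parallel", [0, 1])
TWO_CYCLES = [[0.9, 0.9], [0.9, 0.9]]

# Constructed system: a redundant pair in series with a module that is itself
# a series pair in parallel with a single backup part.
SYSTEM = ("series", [("parallel", [0, 1]),
                     ("parallel", [("series", [2, 3]), 4])])
# Constructed profile: passive, active, passive (rates in failures/hr).
PROFILE = [
    ([1e-4, 1e-4, 5e-5, 5e-5, 2e-4], 100.0),
    ([2e-3, 2e-3, 1e-3, 1e-3, 4e-3], 50.0),
    ([1e-4, 1e-4, 5e-5, 5e-5, 2e-4], 200.0),
]

if __name__ == "__main__":
    print("Example 1.1:", predictions_by_depth(DEVICE, TWO_CYCLES))
    for k, value in enumerate(predictions_by_depth(SYSTEM, phases_from_rates(PROFILE))):
        print(f"depth {k}: predicted mission success = {value:.6f}")
```

The predictions never increase as the depth grows, and a step across a series gate leaves the value unchanged, which is the numerical counterpart of Remark 3.1 and inequality (4.3).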